Overview
MirrorIQ is a privacy-first GRC platform for cybersecurity teams working across multiple compliance frameworks, covering assessments (NIST CSF 2.0, SOC 2 Type II, HIPAA, ISO 27001, PCI DSS, and more), an evidence repository, SSP generation, and auditor collaboration. The core differentiator is a zero-knowledge architecture: assessment data is encrypted client-side before it leaves the browser.
My Role
Senior Software Engineer, AI Systems at Akylade, owning MirrorIQ end to end.
Full-Stack Engineering
Database schema, server actions, and full frontend across all subscription tiers.
Zero-Knowledge Encryption
Client-side crypto layer with key derivation, IndexedDB storage, and encrypted cloud sync.
Platform Architecture
Server components, React Query cache, server actions, Prisma ORM.
Third-Party Integrations
Stripe billing pipeline, AWS Cognito auth, SST infrastructure, and enterprise multi-tenant system.
Tech Stack
- Frontend: Next.js, TypeScript, Zustand
- Backend: Server Actions, Prisma ORM
- Database: MongoDB Atlas
- Auth: AWS Cognito
- Payments: Stripe
- Infra: SST, AWS Lambda
Platform Features
Assessment Engine
Multi-framework control assessments with real-time maturity scoring, gap analysis, and POA&M generation.
Multi-Framework Support
NIST CSF 2.0, NIST AI RMF, SOC 2 Type II, HIPAA, ISO 27001, PCI DSS, and more from a single workspace.
Evidence Manager
Universal evidence repository with automatic control mapping, quality scoring, and full audit trail.
SSP Generator
System Security Plans for FedRAMP, CMMC, and StateRAMP with inline control authoring and document export.
Auditor Collaboration
Scoped workspaces for external auditors to request evidence, track findings, and issue remediation notes.
Zero-Knowledge Encryption
Assessment data encrypted in the browser before any write. The server stores only ciphertext.
POA&M Auto-Generation
Plan of Action and Milestones auto-generated for unmet controls and resolved when gaps close.
Enterprise Multi-Tenant
Organization-owned data model with team membership access control and reassignable admin contacts.
Technical Highlights
Zero-knowledge key derivation
Auth tokens carry session metadata (for example the issued-at time and session identifier) that changes on every login, so the encryption key is derived only from the stable parts of the user's identity, combined with a per-user salt. The same inputs produce the same key in every session, so the key is re-derived on demand and never stored anywhere. Because the server holds only ciphertext and never the derived key, it is architecturally incapable of reading user data, rather than merely policy-restricted from doing so.
Storage adapter across four subscription tiers
Free, Professional Lite, Professional, and Enterprise each require a different storage mode: plaintext local, encrypted local, encrypted cloud sync, and encrypted cloud with team collaboration. A storage adapter resolves the correct implementation at runtime from the subscription tier, so the four platform pillars (assessments, evidence, SSPs, auditor collaboration) never branch on billing logic. Local storage uses IndexedDB rather than the Web Storage API: it offers far larger quotas, stores structured and binary values without string encoding, and wraps writes in transactions that abort atomically on failure instead of leaving partial state behind.
Orchestrator for cascading calculations
Changing a single control response can ripple into maturity scores, gap status, POA&M item states, and cloud persistence at once. The orchestrator runs these stages in a fixed order behind a debounce, so a burst of edits collapses into one job, with each stage feeding its output into the next. POA&M items tied to newly closed gaps resolve automatically in the same pass.
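The following is an added example, not MirrorIQ's own code, of the cascade just described: a fixed stage order (score, gaps, POA&M, persist) run as one debounced job, with POA&M items resolving when their gap closes. The 0-4 maturity scale, the target level, the control IDs and the starting POA&M item are constructed for the example; the persist stage records a snapshot in memory where the real pipeline would do the encrypted cloud write.

```javascript
// Added example, not MirrorIQ's own code: a debounced, fixed-order pipeline
// in which one control response change flows through scoring, gap analysis,
// POA&M reconciliation and persistence as a single job.

// Constructed workspace: per-control maturity responses on a 0-4 scale, a
// target level, and one open POA&M item. Control IDs are NIST CSF 2.0 subcategories.
function makeWorkspace() {
  return {
    target: 3,
    responses: { 'GV.OC-01': 3, 'PR.AA-01': 1, 'DE.CM-01': 0 },
    maturity: null,
    gaps: {},
    poam: [{ id: 'P-1', control: 'PR.AA-01', status: 'open' }],
    persisted: [], // stand-in for the cloud write; one entry per job
  };
}

// Stage 1: overall maturity is the mean of the control responses.
function scoreStage(ws) {
  const scores = Object.values(ws.responses);
  ws.maturity = scores.reduce((a, b) => a + b, 0) / scores.length;
  return ws;
}

// Stage 2: a control is a gap while its response is below target.
function gapStage(ws) {
  ws.gaps = Object.fromEntries(
    Object.entries(ws.responses).map(([control, score]) => [control, score < ws.target]),
  );
  return ws;
}

// Stage 3: resolve open items whose gap closed; open an item for each gap that has none.
function poamStage(ws) {
  for (const item of ws.poam) {
    if (item.status === 'open' && !ws.gaps[item.control]) item.status = 'resolved';
  }
  for (const [control, isGap] of Object.entries(ws.gaps)) {
    const hasOpen = ws.poam.some((p) => p.control === control && p.status === 'open');
    if (isGap && !hasOpen) ws.poam.push({ id: `P-${ws.poam.length + 1}`, control, status: 'open' });
  }
  return ws;
}

// Stage 4: persist a snapshot (in the real system this is the encrypted cloud write).
function persistStage(ws) {
  ws.persisted.push({
    maturity: ws.maturity,
    openPoam: ws.poam.filter((p) => p.status === 'open').map((p) => p.control),
  });
  return ws;
}

// Fixed order; each stage receives the previous stage's output.
const STAGES = [scoreStage, gapStage, poamStage, persistStage];
function runPipeline(ws) {
  return STAGES.reduce((state, stage) => stage(state), ws);
}

// Debounce: a burst of edits schedules a single job; flush() runs it immediately.
function createOrchestrator(ws, delayMs = 300) {
  let timer = null;
  const run = () => { timer = null; runPipeline(ws); };
  return {
    setResponse(control, score) {
      ws.responses[control] = score;
      if (timer !== null) clearTimeout(timer);
      timer = setTimeout(run, delayMs);
    },
    flush() {
      if (timer !== null) clearTimeout(timer);
      run();
      return ws;
    },
  };
}

// Three rapid edits -> one job. PR.AA-01 reaches target, so P-1 resolves;
// DE.CM-01 improves but stays below target, so a new item is opened for it.
function demoBurst() {
  const orch = createOrchestrator(makeWorkspace());
  orch.setResponse('PR.AA-01', 2);
  orch.setResponse('PR.AA-01', 3);
  orch.setResponse('DE.CM-01', 1);
  return orch.flush();
}

console.log(JSON.stringify(demoBurst()));
```

Because resolution happens inside the same job as the gap recomputation, there is no window in which a gap is closed but its POA&M item still reads as open, and only one persisted snapshot results from the three edits.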
Organization-owned data in the enterprise tier
Data is owned by the organization, not the individual. When someone leaves, their assessments and evidence stay with the team. The model separates owning organization (immutable), current admin contact (reassignable), and original author (audit trail only). Access is granted through team membership, not individual record ownership.
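The following is an added example, not MirrorIQ's own code, of the three-field ownership model above: an immutable owning organization, a reassignable admin contact, and an author kept only for the audit trail, with access decided by team membership. The rosters, user and organization IDs, role names and the offboarding rule (a member cannot be removed while still the admin contact on a record) are constructed for the example.

```javascript
// Added example, not MirrorIQ's own code: records owned by the organization.
// owningOrg is immutable, adminContact is reassignable by an org admin, and
// author is kept for the audit trail only. Access follows team membership.

// Constructed directory: orgId -> Map(userId -> role), plus the records it owns.
function makeDirectory() {
  return {
    teams: {
      'org-acme': new Map([['u-alice', 'admin'], ['u-bob', 'member']]),
      'org-other': new Map([['u-carol', 'admin']]),
    },
    records: [],
  };
}

function isMember(dir, orgId, userId) {
  return dir.teams[orgId]?.has(userId) ?? false;
}

function createRecord(dir, orgId, authorId, payload) {
  if (!isMember(dir, orgId, authorId)) throw new Error(`${authorId} is not a member of ${orgId}`);
  const record = { adminContact: authorId, author: authorId, payload, history: [] };
  // The owning org is fixed at creation: later assignment is ignored (TypeError in strict mode).
  Object.defineProperty(record, 'owningOrg', { value: orgId, writable: false, enumerable: true });
  dir.records.push(record);
  return record;
}

// Access is a membership check on the owning org, never a comparison against author.
function canAccess(dir, userId, record) {
  return isMember(dir, record.owningOrg, userId);
}

function reassignAdmin(dir, record, actorId, newAdminId) {
  const roster = dir.teams[record.owningOrg];
  if (roster.get(actorId) !== 'admin') throw new Error(`${actorId} is not an admin of ${record.owningOrg}`);
  if (!roster.has(newAdminId)) throw new Error(`${newAdminId} is not a member of ${record.owningOrg}`);
  record.history.push({ event: 'admin_reassigned', from: record.adminContact, to: newAdminId, by: actorId });
  record.adminContact = newAdminId;
}

// Offboarding refuses to leave any record without a current admin contact.
function offboard(dir, orgId, userId) {
  const orphaned = dir.records.filter((r) => r.owningOrg === orgId && r.adminContact === userId);
  if (orphaned.length > 0) throw new Error(`reassign the admin contact on ${orphaned.length} record(s) first`);
  dir.teams[orgId].delete(userId);
}

// Alice authors an assessment and leaves the org; the data stays with the team.
function demoOffboarding() {
  const dir = makeDirectory();
  const rec = createRecord(dir, 'org-acme', 'u-alice', { framework: 'SOC 2 Type II' });
  try { rec.owningOrg = 'org-other'; } catch (_) { /* TypeError under 'use strict' */ }
  const carolBefore = canAccess(dir, 'u-carol', rec);
  let blockedBeforeReassign = false;
  try { offboard(dir, 'org-acme', 'u-alice'); } catch (_) { blockedBeforeReassign = true; }
  reassignAdmin(dir, rec, 'u-alice', 'u-bob');
  offboard(dir, 'org-acme', 'u-alice');
  return {
    orgAfterTamper: rec.owningOrg,
    carolBefore,
    blockedBeforeReassign,
    aliceAfter: canAccess(dir, 'u-alice', rec),
    bobAfter: canAccess(dir, 'u-bob', rec),
    admin: rec.adminContact,
    author: rec.author,
    historyEntries: rec.history.length,
  };
}

console.log(JSON.stringify(demoOffboarding()));
```

Separating the three fields is what makes offboarding safe: removing Alice from the roster revokes her access immediately, while the record keeps both a live admin contact and an untouched author entry for auditors.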